Twitter Security Hole Left Accounts Open to Hijack

Micro-blogging service Twitter.com has fixed a vulnerability that until Wednesday night allowed users to create fake posts on other users' Twitter pages, or sign up fellow users for a deluge of potentially wallet-busting text messages.

Twitter is designed to let people blog from their phones, by sending text (aka "short message service" or SMS) messages or "Tweets" that will then appear on the user's Twitter.com home page. Any Twitter users who are "following" or have syndicated that account will then receive updates on their Web sites about what that user is doing. Twitter users can choose to receive updates from other users via their own home page, through their phone, or both.

The authentication weakness allowed anyone who knew your mobile number to spoof messages to your Twitter.com home page so that they appeared to have come from you, provided your mobile phone number was set up to post and/or receive Twitter messages. That's because Twitter determines which home page should display new messages by checking the "sender ID" field, the area in all mobile text messages that includes the sender's telephone number.

Lance James, a security researcher and author of the book "Phishing Exposed," found that anyone could authenticate and hijack a Twitter account by using SMS spoofing services such as my-cool-sms.com or phonytext.com. These Web sites allow users to mask what phone number they are texting from by letting the user input whatever phone number they want to appear in the "from" field.

Using Twitter's "text commands" settings, which users can change via their cell phones, an attacker could turn another user's phone notifications on or off, force that account to follow other Twitter users, or stop it from receiving notifications from specific users on its list, James discovered. One could even use these features to instantly force other Twitter users to start following their Tweets. In addition, anyone who has their Facebook status set to be automatically updated by Twitter could have that message changed through this vulnerability as well.

Using this approach, one could even blast out a note to all of a Twitter users' followers, urging them to follow a link to a malicious Web site.

As it turns out, these attack scenarios are not new, and Twitter has known about them for nearly two years. In April 2007, security researcher Nitesh Dhanjani wrote about a nearly identical threat to Twitter via SMS spoofing.

When Security Fix initially approached Twitter about this problem, Twitter co-founder Biz Stone dismissed the claim as inaccurate, though he ignored my offers to give him a direct demonstration using his own Twitter page.

"Your information is incorrect. We implemented PIN protection later that very afternoon in April 2007 for users outside the U.S. and it remains in Device Settings to this day," Biz wrote in an e-mail. "[Mobile] carriers in the U.S. have their own systems for blocking SMS spoofing."

Indeed, most U.S.-based mobile carriers have put in place measures to block SMS spoofing on their networks. But this is generally not the case for international mobile networks (hence Twitter's option for international users to require the entry of a PIN before a Tweet will be accepted).

U.S. Twitter users update their Twitter pages by texting their Tweets to the number 40404, but this number won't work for international users. So, Twitter provides a series of international numbers that non-U.S. Twitter fans can use. This functionality is documented quite nicely in Twitter's own support pages, which list several international numbers that can be used to send tweets.

But SMS spoofing services will just as happily allow users to make it appear as though their call is coming from any phone number in the world. And for whatever reason, when U.S. users spoofed their texts to appear to be coming from one of the numbers Twitter provides to international users, the Twitter blog system would accept those incoming Tweets without a PIN challenge.
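To make the authentication decision concrete, the following Python model, added here and not Twitter's own code, contrasts the sender-ID-only routing the article describes with a policy that demands the Device Settings PIN on any longcode gateway. The account table, the phone numbers and the PIN-as-first-token message format are assumptions.

```python
# Added example (not Twitter's code): models the sender-ID-only check the
# article describes beside a policy that requires the Device Settings PIN on
# any inbound gateway where the carrier cannot block sender-ID spoofing.
from dataclasses import dataclass
from typing import Optional

US_SHORT_CODE = "40404"          # the U.S. short code named in the article

# Constructed account table: registered phone number -> (username, SMS PIN or None).
# The numbers are made up; the PIN is assumed to have been set in Device Settings.
ACCOUNTS = {
    "+15555550100": ("alice", None),    # U.S. user, no PIN set
    "+447700900123": ("bob", "7391"),   # international user who enabled the PIN
}

@dataclass
class InboundSms:
    sender_id: str   # "from" field; a spoofing service lets the sender set this freely
    gateway: str     # the Twitter number the text was delivered to
    body: str

def route_vulnerable(msg: InboundSms) -> Optional[str]:
    """Pre-fix behaviour described in the article: trust the sender ID alone,
    whichever gateway the text arrived on, and post to the matching account."""
    acct = ACCOUNTS.get(msg.sender_id)
    return acct[0] if acct else None

def route_hardened(msg: InboundSms) -> Optional[str]:
    """Accept a sender-ID-only post solely where the article says spoofing is
    blocked by the carrier (U.S. numbers via 40404); every longcode post must
    carry the PIN. Assumption: the PIN is the first token of the message body."""
    acct = ACCOUNTS.get(msg.sender_id)
    if acct is None:
        return None
    user, pin = acct
    if msg.gateway == US_SHORT_CODE and msg.sender_id.startswith("+1"):
        return user
    if pin is None:
        return None      # no PIN enrolled: refuse rather than trust a forgeable sender ID
    token, _, _ = msg.body.partition(" ")
    return user if token == pin else None

# Constructed sample: a text forged to carry alice's U.S. number, delivered to
# a (made-up) international longcode instead of 40404.
SPOOFED = InboundSms("+15555550100", "+447700900000", "spoofed post")
```

The vulnerable router posts the forged text to alice's page, while the hardened router rejects it because a longcode post without a PIN is never trusted.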

After I explained to Stone that the attack used Twitter's international features, he changed his tune.

"Ah, so if you sign up to this service, and you know someone's U.S. mobile number, and they have that number associated with Twitter, then you can post a message to their account via international longcode. I get it," Biz wrote back. "We'll fix that right now and deploy. I'll also remind folks outside the U.S. that they should make use of the SMS PIN option on Twitter. Thanks for bringing this to my attention."

Sure enough, within hours Twitter had plugged the hole, although doing so created trouble for users trying to sign in to their accounts or create new ones.

Interestingly, the very same attack vector that allowed anyone to spoof a tweet from a Twitter account could also be used to attach a new mobile number to an existing Twitter account.

If you log in to your Twitter account and then proceed to add a mobile phone number to the account, Twitter forces you to send its servers a text message from that mobile line containing a pseudo-random 5-letter code supplied by Twitter. But, until Wednesday, an attacker could have just as easily used SMS spoofing services to fake that message as well, and indeed this worked in my testing after James walked me through how to test these vulnerabilities using a dummy Twitter account.

True, the mobile phone attached to that number would receive a text message that the line had been added to a Twitter account, but if that account were already subscribed to follow hundreds of other Twitter feeds, that mobile number would quickly be flooded with Tweets in the form of text messages from other Twitter users that account is following. For a mobile phone user with a low quota of free text messages each month, this could become a rather expensive incident. And if the victim had never heard of Twitter, it may be some time (and many hundreds of expensive text messages later) before they even figure out what was happening.

James said the Twitter attack is but one example of how so-called "two-factor" authentication mechanisms -- which combine something you know like a password with something you have, like a cell phone -- may be vulnerable.

"Where you have this interconnection between mobile devices and the Web, there will always exist these kinds of obvious problems between trusted devices," James said. "People need to remember that these approaches aren't always foolproof, and that weaknesses in one technology can allow an attacker to break the whole thing."

Update, Mar. 6, 10:00 a.m.: As noted by Lance James in the comments below, and by the good folks at The H (the English language side of Heise Security in Germany), Twitter's fix for this vulnerability doesn't stop users in the U.K. and Germany from spoofing Tweets.

Update, Mar. 8, 3:44 p.m. ET: Twitter says some 750 Twitter accounts were broken into and had a link to a webcam site posted on the accounts. Twitter is still investigating to determine how the attackers broke in, but the service is urging users to ensure their accounts are protected with a strong password.

Additional info:
So far, in my testing, I have not found a "pin" being offered for international twitter customers. Maybe it's activated by IP, but if that's the case, it should be activated based on the phone number for the mobile device, e.g. if it's +44(PhoneNumber) then it should offer the PIN. These fixes are a stopgap, and I'm hoping twitter is going to offer pin to all customers, US or otherwise. As it stands, it is STILL possible to execute both attack vectors (spoofing accounts and adding devices) if the number linked to twitter is an international number. I added a fake international number to my twitter account and am able to continue the mischief. This is problematic for all international customers, as SMS service is quite costly outside the US. Secondly, this "stopgap" fix limits US customers to the 40404 short code, and they cannot send to any international codes, which breaks usage when roaming internationally on some networks. Additionally, an attacker can validate phone numbers using Twitter's front page link: http://twitter.com/account/complete
Screenshot walkthrough of existing foreign twitter spoofing. At this time I'm adding a device that pretends to be one of the twitter sms gateways. http://lancejssc.tumblr.com

Not having 'unlimited time' to pursue some of the technical aspects of writing code, or even being able to understand it for that matter, I am compelled to rely on 3rd party software to protect my system as best I can.

Hijack This was one such program recommended by another reader within the last week or so, in combination with Superantispyware & Malware Bytes Antimalware, but running Hijack This produces a list of 'potentially suspect files' that is all Greek to me.

Now I must imagine that I could individually Google the file names, extensions, etc., but there must be a more effective and time efficient way for those IMPACTED by this recession to check these files out.